
Comment Re:Drop leg gas mask pouch (Score 1) 514

"But no one's going to give me grief if I'm wearing a gas mask pouch."

I will happily laugh at you if I see you wearing one of those. Especially if it's at the airport...
My personal preference is a bike messenger bag. It's a man-purse of course and many will laugh at me for that. But at least I don't look like I'm geared up for the zombie apocalypse.

Cheers!

Comment Paranoia anyone??? (Score 1) 517

I can't help but notice how many posts on this thread have encouraged the poster to 'run and hide' since he's OBVIOUSLY broken the law.
I'm not so sure that's the case. Many vulnerabilities such as this (especially SQL injections) can be discovered using nothing more than Google dorks. In that scenario, it is Google that has (unintentionally) breached the company's security. The poster is simply accessing information that has been indexed by a search engine. Even if he found it directly, that doesn't mean he broke the law. I've found SQL injections by accident before simply by typing "O'Donnell" into a text box. (That single quote is a Bit**!)
I'm not saying that is what happened here. But don't assume that one has to break the law in order to discover a vulnerability. Google has indexed credit card numbers and other sensitive data in the past. And it's not Google's fault either. If their web spiders are able to scrape it, some web developer screwed up BIG-TIME...

As for advice, I'd say-
1. Document all communications with the company in question. It'll be harder for them to accuse you of wrongdoing if your first action was to inform them of the problem.
2. DO NOT EXPLOIT THIS VULNERABILITY! Or you actually are breaking the law.
3. Report the company in question to VISA, MC, AMEX, etc. You might have broken the law. But they are in violation of PCI-DSS. The company might not listen to you, but once they've got the card companies breathing down their neck they'll correct the issue. (Or they'll get shut down by their payment processor.)
4. Consult an attorney. You are in jeopardy of being blamed if the company does lose data, regardless of the facts. Regardless of legality, it doesn't sound like you have done anything immoral. Don't be their scapegoat.
5. If they do come after you, BE LOUD! The company in question has, through their incompetence, screwed their customers. At some point they will have to weigh their options. The person who said 'There's no such thing as bad publicity.' did so before there was such a thing as the Internet. If coming after you means losing customers?

In any case, good luck! I've been where you are and it's not a comfortable position...
 

Comment Try These- (Score 1) 363

If you're near D.C./Baltimore at all, the NSA runs the National Cryptographic Museum at Fort Meade. It doesn't get any geekier than that. The VLA is a lot of fun as well. It's a great picnic spot. (But if you're trekking across NM there's also White Sands Nat. Mon. And the southeast corner of the state has a couple of real 'gems'- Roswell, where you can get your LGM fix, and Carlsbad Caverns, where you can go hiking for miles underground in the most beautiful setting you can imagine!) Oh, and if you're in Arizona at all, check out the Meteor Crater! It's off I-40 near Winslow...

Comment Re:The Feds agreed it was a search (Score 1) 191

Um, two reasons-
1. Going to Verizon would only get them historical data. As in 'Here is all the location data we have for the last month.' In addition, the suspect in this case wasn't using a phone. He was using a broadband data card to file fraudulent tax returns. So GPS might not even be an option. So they would be limited to network location data. The 'Stingray' however, tracks devices in real time from the back of a van that's driving around with SWAT guys in the back. It's the difference between them knowing where you were last week and looking for you actively RIGHT NOW. In this case the suspect was tracked to the apartment building he lived in. Agents then went to the apartment manager and got the lease applications for the tenants. One of those applications used a fake ID and (surprise!) a fraudulent tax return from the agents' investigation to pass the credit check.
2. Different legal standards apply to 'Stingray' type devices than requests to providers. Use of these devices requires only a court order. (Different from a warrant.) Had the suspect been more savvy and used a clean ID and spent a few thousand of those stolen millions on a botnet proxy/VPN he would likely still be at large.

The real thing protecting citizens from abuse of this kind of tech is $. In order to deploy one of these you've got to put some trained agents on the ground. It costs thousands of dollars a day to even try to find someone with a stingray. Realistically, by the time they pull one of these out of the closet and dust it off, they already have enough evidence to arrest. I find carriers snooping to be much more invasive.

Comment Re:It is unquestionably a wiretap (Score 5, Informative) 191

'Stingray's do not intercept communication. That's why they get around the wiretapping warrant requirements. They are designed to spoof the carrier's tower in order to ascertain only the location of a mobile device. So I don't see wiretapping as the issue. What IS troubling however is the fact that once law enforcement has found the suspect/device they as a rule WIPE THE DATA from the stingray. They've been doing this supposedly to prevent defendants/criminals learning how they were caught. The issue is that a judge signs a court order approving the use of the Stingray. Then after gathering evidence, law enforcement DESTROYS that evidence instead of handing it over to the court for review. All this to prevent the defendant from getting it during discovery. That practice will likely stop soon since its motive was to keep the device itself a secret. Now that its use is public knowledge, there's no reason to continue the charade...
Science

Submission + - Suggest a new name for the VLA! (nrao.edu)

alphacharliezero writes: "The Very Large Array radio telescope in New Mexico (VLA), famous for being the setting of the movie 'Contact', is looking for a new name. You can vote by following the link below.
Who better than SlashDotters to stuff the ballot box?
My suggestion- 'The Carl Sagan Radio Telescope Array'"
